Hi there,
it’s unfortunate that this isn’t even possible on explicit user input or by requesting permissions.
I’m the author of the LocalLink addon which adds a context submenu to the page context menu so that users can open file:// links contained in web pages. (Some bad content systems do this so that users rely on it.) Note that this requries explicit interactions, I’m not circumventing same-origin policy for “ordinary link clicks”.
In the XUL version of my addon, I use window.loadURI(uri, null, null), openNewTabWith(uri, null, null, event) and openNewWindowWith(uri, null, null) to open those uris irrespective of checkloaduri.
I ported the context menu and such to webextensions now, but browser.tabs.update() and window.open() called from a background script are subject to the same-origin restrictions, no loading of file:// uris
requesting "file://*/" permissions in manifest.json does not help either. MDN docu suggests "content_security_policy": "script-src 'self'; object-src 'self'; navigation-to 'filesystem:'" but my Firefox 56 does not know navigation-to, and I don’t think Firefox 57 does.
Entering file:// uris in the address bar directly works, of course. Is there any way to (request a permission to be able to) to do this from a webextension? I.e., based upon user input, update a tab or create a new one that navigates to a given file:// uri?
Michael